The use of facial recognition has become a highly debated topic recently, and has increasingly and misleadingly been criticised by some for being an unethical tool used to spy on the public. The reason for such criticism is however largely due to lack of information and regulation around the technology.
Used proportionately and responsibly, facial recognition can and should be a force for good. It has the ability to do a lot more to increase security in the future – from street crime to airport security, all the way through to helping those battling addiction, the technology can take security and operations to new heights.
The rise in knife crime
Knife crime has dominated the headlines in the UK throughout the year. Recent statistics show the number of people being admitted to emergency care due to attacks by a sharp object to be up by nearly 40 per cent from two years ago, whilst the number of children under the age of 18 being admitted to hospitals with stab wounds is up by 86 per cent in only four years.
This recent surge in knife crime has put police forces under immense pressure, and the intelligent use of facial recognition has a role to play in enabling more informed stop & search interventions.
Currently UK police can stop and search an individual they suspect to be carrying drugs or weapons or both, or they can stop and search a person in a location where there have been or are considered likely to be “incidents involving serious violence.” In both cases they must do so with access to limited information, leaving themselves open to accusations of bias or discrimination.
Knife crime dominated the headlines in the UK throughout 2018
Police systems benefiting crime investigations
This is where facial recognition can offer up additional intelligence. These systems can memorise the faces of persons of interest, networks of gang members, wanted criminals and those suspected of involvement in serious violent crimes. Furthermore, these systems don’t need prior personal engagement to recognise an individual and see only data, not gender, age or race.
The technology doesn’t take the decision away from the human police officer. However, it does bring greater transparency and context to the decision-making process of whether a stop and search intervention is justified.
Similarly, the advanced technology can recognise and match an individual seen on a CCTV camera at a crime scene to someone the police encounter on the streets some time later, justifying a stop and search on that individual.
Its ability to check in real time if a person is on a criminal watchlist adds an extra layer to the decision-making process prior to conducting a stop and search, lowering the likelihood of discrimination. Facial recognition thus helps remove both weapons and criminals from the streets and can potentially prevent crimes before they have a chance to take place.
Gambling addiction and how facial recognition can help
There are an estimated 593,000 people in the UK currently battling a gambling problem, making it a serious public health issue in the country. Having understood the gravity of the issue, the UK Gambling Commission has set limits and advice in place to help those suffering this addiction; yet as with all addictions, gambling is a tough habit to beat. In order to put effective limitations in place and make a real difference, the Gambling Commission needs the right technology to protect those most vulnerable in the industry.
Facial recognition technology is able to keep track of customers and thus help gambling companies in protecting their customers to a higher degree. Monitoring those entering and moving around gambling areas is an extremely difficult task for human staff to do alone, especially in large crowded areas such as casinos.
Facial recognition technology installed around the premises would be able to help the company and the staff to identify people who have registered as gambling addicts, and keep record of their day’s play in order to inform staff if and when it was time for them to stop. It would also be able to ensure effective self-exclusion procedures, by identifying a self-excluded individual via CCTV as soon as they entered the venue to then allow security staff to respectfully escort them out.
Utilising facial recognition at airport security
Facial recognition has by now become a normal sight at many airports around the world. Several people today hold a so-called biometric passport, which allows them to skip the normally longer queues and instead walk through an automated ePassport control to proceed to the gate faster without having to deal with control officers. Facial recognition used in this way has managed to significantly cut waiting times at the passport control, but it also has the ability to enhance security in and around airports.
Earlier this year, facial recognition technology managed to catch an imposter trying to enter the US at the Washington Dulles Airport. The false passport may have been uncaught by the human eye, yet due to the accuracy of the facial recognition technology it managed to help officers catch the imposter and bring him to justice.
Facial recognition thus allows officers to identify an individual faster and more accurately than the human eye. Facial recognition uses algorithms to match physical characteristics against photos and videos of people's faces, which have been collected from visas, passports and other sources.
Whilst some critics may worry about issues of privacy related to the technology, at airports the use of facial recognition has proved to both enhance security as well as speed up processes such as check-in and, in the future, even boarding proceedings.
If used correctly and proportionately, facial recognition can help safeguard the public and improve national security on several fronts. Whilst the many benefits of facial recognition are evident, the lack of regulation and understanding of the technology has led to misconception around how it works and what it is used for.
Facial recognition technology can match faces in crowded public places against criminal watch lists, and register faces that match with those on criminal watch lists – whilst ignoring everyone else.

Terry Gold of D6 Research has been giving “cyber in physical security” presentations at a variety of conferences, including ISC West and the Cyber:Secured Forum. We caught up with him for some insights about the intersection of cybersecurity and physical security.
Q: Tell us a little bit about your background, specifically in the context of its relevance to cyber security in physical access.
Gold: I started out in information security and then got involved in physical security along the way. I started really focusing on physical from a cyber standpoint about 10 years ago. I got into ethical hacking about 8 years ago, and then worked on putting it all together. There wasn’t a roadmap, so I had to build a methodology which I now share with other hackers, end users and law enforcement.
I spend all my time either in the lab building success models, methods, and testing them out in some of the largest customers or agencies in the world for validation and improvement. Also, a chunk of my time is spent re-engineering security assessment and controls for end users or validating vendors on their behalf from a unique viewpoint that’s not (yet) typical in the industry.
Q: How well prepared is physical security overall against cyber threats?
Gold: Not well at all. While security is imperfect anywhere, many of the practices and designs have critical defects and overlook either best practice or fundamental application security principles. I’d say that the industry is very wide open for exploitation that doesn’t take much sophistication to execute.
Q: What things stand out to you along your journey regarding the changes that you are seeing on this topic?
Gold: Culture. Over the years, the industry (and most end users) have been dismissive of my findings. Industry culture hasn’t been aligned to embrace the topic and make requisite improvements that are needed to achieve “good security.” However, I’m finally starting to see that change – quickly and at scale. It doesn’t mean that we’re close to “good,” but rather reached the inflection point of change – and I’m rather pleased about it.
Q: D6 does a lot of research in this area. What is the analysis behind the recent push for cyber security in physical security?
Gold: First, it must be recognised that the threat isn’t new, but rather that the industry is only now coming to the table on it. Industry sentiment has been that breaches in physical security don’t happen or that there’s little impact. Both are false. Mainly, IT gets all the media attention with breaches for two reasons; 1) breach disclosure laws are focused on mandatory reporting for personally identifiable information (PII), and 2) there is really poor detection (mostly non-existent) against hacks in physical security, so they go unrecognised.
On the other side, as physical security systems increasingly resemble an IT architecture, so does their risk profile. As it expands to mobile, cloud, IoT and intelligence - InfoSec and auditors are taking a look and are alarmed at what they’re seeing. Before you know it, the scrutiny is cutting pretty deep, pressure for alignment becomes intense, and vendors feel the pinch on the sales cycles. It’s not a comfortable position for anyone.
Q: What will be the projected impact? Are practitioners seeing the whole picture?
Gold: No, and this area is probably the most important takeaway of this interview. The industry is where InfoSec was about 15 years ago in their journey, except we have an additional headwind to deal with – culture change. This industry tends to rely more on trusted relationships than validating the recommendations that are being provided. There are too many prevailing misconceptions, that unless remediated, investments won’t be as effective as expected.
Q: What do you believe are the top misconceptions?
Gold: Well, this is a longer topic, but here’s a sampling that cuts across different areas.
Regarding hackers: A misconception is that they’re generally not interested. Hackers are increasingly very interested. When I teach a workshop at a hacker conference, it’s usually the quickest to fill up and go to wait list (within a couple hours).
Regarding attacks: A misconception is that attacks are executed directly against the target system. Example, their goal is to get into VMS and attack it directly. The reality is that they’re more commonly dynamic where physical is part of a larger attack and its role is an easier gateway to another system (or vice versa, with many hops).
Regarding protective measures. The most prevalent mistake that the industry is currently making is too much focus and reliance on air-gapping networks or locking ports. This is only a slice of the attack surface and there are various ways to get around it. There’s a heavy price to pay for those that rely too much on this strategy since it’s often accompanied by few mechanisms to deal with actors once they do get in (and they definitely will).
Regarding the value of exploiting physical security. Too often perceived as low value. In our white paper we review many of the things that hackers can do, what they gain, and how it can impact the overall organisation. It’s far broader and deeper than most.
Q: What are the top things that need to change in the industry?
Gold: First, culture. This can be answered by adopting the same principles as InfoSec. From an execution standpoint, the industry needs to change how they perform risk assessments. Industry practices, including certifications, are significantly outdated and don’t reflect a methodology that accurately considers cybersecurity, actors, methods, and proactive remedy. At D6, we’ve developed a stepwise methodology from the ground up and it’s a huge difference. End users that don’t re-engineer their practice will be very limited for meaningful cybersecurity improvement.
Q: Generally, what advice do you give to clients on steps to move their cyber security to the next level?
Gold: Don’t operate like a silo anymore. Transition from industry “common practices” to best practices that can be validated. Rely less on previous relationships and more toward domain competence. Collaborate with the CISO to a principled, goal-oriented and metrics-based approach. Embed an InfoSec person on the physical team. Present priorities and risks jointly to the board within an overall risk portfolio. Invite scrutiny from auditors. Get a red team performed once a year. Until you do the last step, you don’t really know where you stand (but don’t do it until the other things are done). Last, set the bar higher with vendors to support these improvements or their products will just end up being a weak link.
Q: What type of challenges do you see and any advice on how end user and integrators can overcome them? Lessons learned?
Gold: Feedback I get from integrators is that they’re struggling to figure out how to deliver expertise to their clients in their area. They’re somewhat overwhelmed with the complexity, becoming an expert or how expensive it is to hire and maintain those skilled resources. My best advice is not to do either. There are too many specific domains across cybersecurity – it’s not just a network security resource. Not even the large integrators have the right bench, and unfortunately, they’re just further down a doomed path than smaller integrators. Form a partnership with boutique cybersecurity firms that have multiple specialists. Negotiate rates, margins, scope, and call on them when needed. It won’t come out of your bottom line, the results will be better, and the risk will be extremely low. You’ll learn along the way too.
Q: Anything notable that your research is uncovering in this area that might not be on people’s radar yet?
Gold: Yes, quite a bit. Our Annual Industry Assessment Report goes through every segment. We’re making pretty bold statements about the future and impact, but we’re confident. One thing that stands out is how intelligence (and the swath of subsets) will impose stringent demands on physical security due to attribute and data collection (for analysis) which will absolutely require privacy compliance, integrity, and controls. It will even shape organisations that might not care about cybersecurity but are prioritising function.
Q: Where can readers learn more about your perspectives on this topic?
Gold: Blogs on the D6research.com website. Our annual report. Val Thomas of Securicon and D6 have collaborated on a three-part cybersecurity in physical white paper series. It goes into all of this in detail, as well as remedy.

As buildings become more complex and smarter, the age-old traditional maintenance methods that are based mostly on hands-on human monitoring are becoming more and more inadequate. Instead, the world is fast adopting building automation as a key component of smarter and more proactive maintenance strategies.
The aim is to free up maintenance staff and give them time to focus on other tasks while machines monitor the different systems that work together to make the facility functional.
Specifically, Internet of Things (IoT) enablement appears set to transform the way facility managers deliver service to building occupants. The trends are many and the possibilities are almost mind-boggling: from inventory management to work scheduling and energy efficiency, the list goes on and on. Below, we look at a few ways in which IoT is being used for Facility Management and Security.
Revolutionise maintenance through condition-based maintenance
For years now, the norm among maintenance professionals has been a time-based approach, or in simpler terms, performing maintenance operations after a set period of time. But a major flaw of this system is that components were being replaced periodically whether the parts were actually worn out or not.
Of course, that meant some of these maintenance activities simply weren’t cost-effective. To stop this waste, a subset of IoT known as IIoT can now be used to optimise the maintenance process.
Rather than changing parts on a time-based schedule, maintenance teams can rely on IIoT, which works as a centralised network of connected systems and devices that can talk to one another and generate and relay data. Selected equipment is fitted with sensors that monitor specific operational parameters, letting maintenance professionals see how the machines under supervision are working, understand their current condition, and pinpoint the optimum time for maintenance.
The information generated this way is vital as it allows maintenance staff to intervene just in time to avoid costly downtime and other associated inconveniences. This is, in a nutshell, the basics of predictive maintenance and condition-based maintenance.
These days, by implementing condition-based maintenance, IIoT is being used to effectively monitor a wide range of systems such as lighting, HVAC, fire suppression, security, etc.
The applications are numerous and so are the benefits. Page 52 of this guide by the US Department of Energy states that a functional predictive maintenance program could yield up to 10 times ROI, reduce maintenance costs by 25% to 30%, and reduce downtime by 35% to 45%.
Remote monitoring of facilities
Physical inspections have been a critical condition for the success of conventional maintenance programs, even in hazardous environments. But, with the increasing emphasis on personnel safety, organisations want alternative solutions that allow staff to examine assets without being physically present.
Facility managers and their teams working in industries like manufacturing, oil and gas, and mining can relate to these constraints. And these industries can benefit greatly from deploying predictive maintenance solutions.
For example, in the oil and gas industry, IIoT sensors can be used to monitor remote and highly critical assets. These sensors can be used on pipelines to detect anomalies (especially corrosion) and pass that information to supervisors for necessary action. By doing this, potential failures are quickly predicted to avoid often disastrous incidents.
Managing energy consumption
Sensors are also being embedded in building components and devices like HVAC systems, lights, doors and windows to understand energy consumption and proactively manage it. Facilities that use this technology could achieve substantial energy savings. In a press release, the IT research and advisory company Gartner stated that IoT can help reduce the cost of energy - as well as spatial management and building maintenance - by up to 30%.
These sensors work by monitoring different conditions in the building and triggering a power-saving action based on the data received. For instance, occupancy sensors can order lights to turn on when they sense motion in a room and then turn off the same lights when there is no presence there. That way, there is no need to wait for someone to remember to switch off the lights when they are not needed.
Another very common use is in HVAC monitoring. Looking at HVAC systems very closely, we see that they are a major source of energy usage in any building. So, the issue is how can one use IIoT to manage HVAC and possibly reduce their energy usage? Well, in its most common form, IoT-enabled HVAC works as a connection of sensors and thermostats that monitor factors like indoor air quality, temperature, and environmental changes then communicate with the rest of the HVAC equipment and make needed adjustments for occupants’ comfort. Not only that.
The technology can be configured to:
Track energy consumption at different distribution points throughout the building.
Track usage from the power source right down to the consumption point.
Detect sudden voltage drops or spikes (usually an indication of some fault).
These are essential benefits because HVAC units are notorious for consuming large amounts of energy when they are working inefficiently.
Security and access control
Smart surveillance is another important area of application for IoT in facilities management. It takes several forms such as the monitoring of life-saving systems like intruder or fire alarms, invisible barriers, and other safety installations. Facility managers are using IoT across different industries to obtain live information about potential emergency situations with a view to responding before the issue escalates.
In such cases, quick detection of any strange activity is key because many of these installations have tangible negative effects when they fail or when they are intentionally sabotaged.
Fortunately, the surveillance equipment can also be set up to send alerts to mobile phones to aid emergency response or evacuation as the case may be. Smart surveillance is also priceless for monitoring the situation in partially or fully automated remote facilities (especially oil and gas installations and mines), and in hostile environments with critical equipment where humans cannot work for extended periods of time. If you are not yet using IoT in your facility, you may be wondering where to start from.
To avoid getting overwhelmed, a good place to start would be to try a small-scale deployment of this technology then review its ROI and impact on your operations before adopting a more widespread IoT implementation. This way you can gradually scale up as you and your staff come to understand and adapt to this new way of doing things.